Broaden gitleaks allowlist to exempt forgejo-mcp.md entirely #86

Closed
opened 2026-06-18 00:52:16 +00:00 by james · 0 comments
Owner

Follow-up from #77.

The narrow allowlist added in #77 only suppresses bare 64-hex-char strings inside forgejo-mcp.md. CI's pinned gitleaks (8.21.2) is still flagging other patterns in the file (rule packs and heuristics differ from local 8.30.1, where the same file currently shows no hits).

forgejo-mcp.md is a pure documentation walkthrough — example commands, hashes, scope strings — with no expectation that anything in it is a real secret. Per-pattern allowlist maintenance is more cost than it's worth here.

Scope

  • Replace the existing [[allowlists]] block with a broader one that exempts ^forgejo-mcp\.md$ regardless of content.
  • Keep condition = "AND" semantics moot by dropping the regexes constraint entirely (a single criterion is naturally AND/OR-equivalent).
  • Update the description to make the rationale obvious to future readers ("documentation file; no real secrets expected").

Acceptance criteria

  • .gitleaks.toml allowlist for forgejo-mcp.md matches the whole file, not just hex strings.
  • CI's secrets.yml workflow passes on the PR.
  • If real secrets ever land in this file, they'll only be caught by review — that's the acknowledged trade-off and is fine for a documentation walkthrough.

Part of epic #2. Follow-up from #77.

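As an added illustration of the change the issue asks for, and not the repository's own `.gitleaks.toml`: the narrow `[[allowlists]]` block from #77, reconstructed from the issue's description of it, beside the broadened whole-file block proposed here. The exact `description` strings, the 64-hex regex and the block's original shape are assumptions; the file path regex `^forgejo-mcp\.md$` is the one the issue names.

```toml
# Added example, not the project's actual .gitleaks.toml.
# Assumes the pre-#86 block had the shape the issue describes:
# a path criterion AND a bare 64-hex-char regex criterion.

# --- Before: narrow allowlist from #77 (assumed shape) ---
# A finding is suppressed only when BOTH criteria hold: the file is
# forgejo-mcp.md AND the matched secret is a bare 64-hex-char string.
# Any other pattern that gitleaks 8.21.2 flags in that file still fails CI,
# which is the mismatch the issue reports against local 8.30.1.
[[allowlists]]
description = "forgejo-mcp.md example hashes (64-hex only)"
condition = "AND"
paths = ['''^forgejo-mcp\.md$''']
regexes = ['''^[0-9a-f]{64}$''']

# --- After: whole-file exemption proposed in #86 ---
# Only one criterion remains, so `condition` is moot and `regexes` is dropped.
# Trade-off stated in the acceptance criteria: a real secret committed to
# this file is caught only by code review, not by the scanner.
[[allowlists]]
description = "forgejo-mcp.md: documentation file; no real secrets expected"
paths = ['''^forgejo-mcp\.md$''']
```

In the real file only the second block would remain; both are shown together here so the before/after difference is visible in one place. Because the path regex is anchored with `^` and `$`, it exempts only a top-level `forgejo-mcp.md` and not a file of the same name in a subdirectory, which keeps the exemption as narrow as the issue intends.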
james closed this issue 2026-06-18 01:02:51 +00:00
Reference
james/carol#86